
Hijackthis Log. Please Help Diagnose

Hi, After all kinds of problems with my computer, mainly with hanging and unresponsiveness, And doing all sorts of scans, I have finally arrived at this site and would be very grateful for any advice on the following log.

I personally use AVG Free, but all these programs have good reputations. If you don't like one, you can try another. Please consult the help files or online support for information on installing, updating, and using the program.

Once you have installed and updated an Antivirus, run a full system scan. Save the report and post it to your next reply.

Next item: you are running HijackThis from your desktop. This is bad because backups can be accidentally deleted. Please install a copy in its own folder, as follows:

First, delete the HijackThis file currently on your computer.

Next, double-click the HijackThis_SFX.exe file icon. A window will open. Accept the default installation folder by clicking Unzip on the right side of the window.

Navigate to the program by double clicking My Computer, C:, Program Files. Find the HijackThis folder and double-click it to open.

If you would like to make a shortcut for your Desktop so it's more easily accessible, right click the HijackThis icon (it looks like a detonator with some dynamite sticks) and choose Send To > Desktop (create shortcut).

Open HijackThis and run a scan. Place a check next to the following line:

O16 - DPF: {FFFF0018-0001-101A-A3C9-08002B2F49FB} - http://www.topfreepornsex.com/sexsex/freepornsex.exe

Make sure all other windows are closed, and there are no programs -- especially your browser -- running minimized in your system tray. Then click Fix checked.

Unless these restrictions were placed there by Spyware Doctor, you should fix this line as well.

After fixing the line(s) in HijackThis, reboot your computer. Run a HijackThis scan, and save the log. Leave HijackThis open.

Then:

1. Click Config, then click Misc Tools.
2. Click "Open Uninstall Manager".
3. Click "Save List" (generates uninstall_list.txt).
4. Click Save, then copy and paste the results in your next post.

More information, with a screenshot, can be found here.

Post the uninstall list, the HJT log, and the antivirus program log to your next reply.
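The O16 line the helper singles out above is a "Downloaded Program Files" entry, i.e. an ActiveX control that Internet Explorer was told to fetch from the web. Legitimate entries of that kind normally point at a .cab package (usually signed) and carry a friendly name; a bare .exe from an unknown site with no name is the pattern to look for. The script below is an added example, not code from the thread or from HijackThis itself: it parses O16 lines out of a log and reports why an entry looks wrong. The three-line log is constructed; only the first entry is the one from this thread, and the Flash and AVG lines are made up for contrast.

```python
import re
from urllib.parse import urlparse

# Added example, not code from the thread: pick the O16 (Downloaded Program
# Files / ActiveX) entries out of a HijackThis log and say why one looks wrong.
# HJT prints them as:  O16 - DPF: {CLSID} (optional friendly name) - URL
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
    r"(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)\s*$"
)

# A DPF entry normally installs a control packaged (and usually signed) as a
# .cab; a bare .exe download registered as an ActiveX control is a red flag.
EXPECTED_EXTENSIONS = {"cab"}


def parse_o16(line):
    """Return (clsid, friendly_name, url) for an O16 line, or None for any other line."""
    m = O16_RE.match(line.strip())
    if m is None:
        return None
    return m.group("clsid").upper(), m.group("name") or "", m.group("url")


def triage_o16(line):
    """Classify one O16 entry. Returns None for non-O16 lines, otherwise a dict
    whose 'reasons' list is empty when nothing looks off."""
    parsed = parse_o16(line)
    if parsed is None:
        return None
    clsid, name, url = parsed
    filename = urlparse(url).path.rsplit("/", 1)[-1]
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    reasons = []
    if ext not in EXPECTED_EXTENSIONS:
        reasons.append(f"download target is '{filename}', not a .cab package")
    if not name:
        reasons.append("no friendly name registered for the control")
    return {"clsid": clsid, "name": name, "url": url, "reasons": reasons}


def suspicious_o16(log_text):
    """Run triage over a whole log; return only the entries with at least one reason."""
    hits = []
    for line in log_text.splitlines():
        result = triage_o16(line)
        if result and result["reasons"]:
            hits.append(result)
    return hits


# Constructed three-line log: the first entry is the one from the thread, the
# Flash control and the AVG startup line are made up for contrast.
SAMPLE_LOG = """\
O16 - DPF: {FFFF0018-0001-101A-A3C9-08002B2F49FB} - http://www.topfreepornsex.com/sexsex/freepornsex.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
"""

if __name__ == "__main__":
    for hit in suspicious_o16(SAMPLE_LOG):
        print(hit["clsid"], hit["url"])
        for why in hit["reasons"]:
            print("   -", why)
```

Run against the sample log it reports only the first entry, with both reasons. The two rules are deliberately simple; in practice you would also compare the CLSID and host against the controls you know a machine is supposed to have.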

Hi, Thank you for your reply. I have followed the instructions and please find below the uninstall list, and the HJT log. You say there is no evidence of any antivirus software, but I do have Spyware Doctor installed and running; it's just possible that my son disabled it temporarily just before I posted my last HJT log. I installed AVG Free and ran a full scan which showed nothing wrong whatsoever, and then uninstalled it and ran Spyware Doctor which showed 13 tracking cookies, low risk, and 3 trojans, high risk, which it dealt with. I have also run Spybot which said all clear. I am not clear what you mean by 'antivirus program log' as I could not find any reference to it on either of the above mentioned scanners.

Spyware Doctor is an excellent antispyware program, but it is not an antivirus. You need both. Please reinstall AVG, update it, and start using it. Read the information on the AVG web pages to set up the program for automatic updates.

Another issue is that I see no evidence of a firewall on your computer. You may have the built-in Windows firewall enabled, however that only blocks unauthorized traffic into your computer. It is better to use a third-party software firewall, which can block unauthorized traffic both out of and into your computer. I recommend you download and install one of these excellent (and free) products:

You still have several earlier versions of Java installed on the computer. Earlier versions have serious security vulnerabilities. Click Start, Control Panel, then double click Add/Remove Programs. When the list is populated scroll down to these entries:

J2SE Runtime Environment 5.0 Update 10

J2SE Runtime Environment 5.0 Update 11

J2SE Runtime Environment 5.0 Update 2

J2SE Runtime Environment 5.0 Update 5

J2SE Runtime Environment 5.0 Update 6

J2SE Runtime Environment 5.0 Update 9

Java 2 Runtime Environment, SE v1.4.2_05

Highlight one of these entries and select Remove, then follow the prompts to complete the removal. Repeat for each item on the list.

Your Uninstall list also shows several gambling and/or porn programs. The use of these programs is your prerogative, but I should warn you that these types of programs often come bundled with spyware or adware. Websites that feature such content are dangerous no matter how good your security software is.

That's all I'm seeing in your new logs. There are no signs of malware. However, the Spyware Doctor Trojan report needs a little followup.

Please download Combofix to your desktop.
Double-click combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

Note: before copying and pasting the log files, please click on Format in the Notepad menu bar, and make sure that Word Wrap is Unchecked. This will make the files much easier to read.

Combofix shows you had a backdoor on your system. It appears to be a newer variant of the one described in this writeup.

A backdoor gives a hacker access to your computer, including any and all personal information, such as passwords, logon IDs, and account numbers. Since we are not sure about this computer, please go to a clean computer and change all your passwords. Notify your bank, credit card companies, and other institutions that you may be a victim of identity theft. Here are some links:

Folders with names like these are common, but I don't usually see them in the root directory (C:\).

Do you know what these folders are about? They appear to have been created at about the same time, probably as part of installing or updating a piece of software. If you don't know what they are, could you please navigate to these folders and see if they are empty? If not, please open one or two of them and see if they contain many files. If only a few, please write down the file names. If many, let me know, I'll write a batch file to create a list.

Hi Dave, Looks like you are saving me from disaster, and I am extremely grateful to you for all your help. Please see below the HJT log as requested.

I have only just read your last reply and have not been to a clean computer as yet, but will be on my way later this afternoon.

With regard to the folders you highlighted, they each contain the following 3 files: DATA.CAB, which Windows cannot open

Manifest.qrm, ditto

Manifest.ini, which contains the following:

[QUARANTINE]
ID={80010297-0000-0000-D80E-5DCC4D912F39}
VERSION=1.2701
RESOURCES=8
[TIMESTAMP]
VALUE=0x1C7B5DC86EBB3D8
[INFECTION_INFO]
NAME=Trojan:Java/Classloader.D
THREATID=2147549847
[RESOURCE1]
SCHEMA=file
NAME=\\?\C:\Documents and Settings\Paul\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Counters.zip-705ab05a-7a31f1e5.zip
NAMESIZE=129
ATTRIBUTES=32
PHYSPATH=C:\Documents and Settings\Paul\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Counters.zip-705ab05a-7a31f1e5.zip
PHYSSIZE=125
[RESOURCE2]
SCHEMA=file
NAME=\\?\C:\Documents and Settings\Paul\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Counters.zip-296f36d-5902fc79.zip
NAMESIZE=128
ATTRIBUTES=32
PHYSPATH=C:\Documents and Settings\Paul\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Counters.zip-296f36d-5902fc79.zip
PHYSSIZE=124
[RESOURCE3]
SCHEMA=file
NAME=\\?\C:\Documents and Settings\Paul\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-71c172b1-51d4cd69.zip
NAMESIZE=124
ATTRIBUTES=32
PHYSPATH=C:\Documents and Settings\Paul\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-71c172b1-51d4cd69.zip
PHYSSIZE=120
[RESOURCE4]
SCHEMA=file
NAME=\\?\C:\Documents and Settings\Paul\Application Data\Sun\Java\Deployment\cache\6.0\63\3441143f-756dc417
NAMESIZE=103
ATTRIBUTES=32
PHYSPATH=C:\Documents and Settings\Paul\Application Data\Sun\Java\Deployment\cache\6.0\63\3441143f-756dc417
PHYSSIZE=99
[RESOURCE5]
SCHEMA=file
NAME=\\?\C:\Documents and Settings\Paul\Application Data\Sun\Java\Deployment\cache\6.0\44\64a3ff6c-1ca9394d
NAMESIZE=103
ATTRIBUTES=32
PHYSPATH=C:\Documents and Settings\Paul\Application Data\Sun\Java\Deployment\cache\6.0\44\64a3ff6c-1ca9394d
PHYSSIZE=99
[RESOURCE6]
SCHEMA=file
NAME=\\?\C:\Documents and Settings\Paul\Application Data\Sun\Java\Deployment\cache\6.0\35\7cd527a3-29cddbf7
NAMESIZE=103
ATTRIBUTES=32
PHYSPATH=C:\Documents and Settings\Paul\Application Data\Sun\Java\Deployment\cache\6.0\35\7cd527a3-29cddbf7
PHYSSIZE=99
[RESOURCE7]
SCHEMA=file
NAME=\\?\C:\Documents and Settings\David\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-703dbc67-6dcac985.zip
NAMESIZE=125
ATTRIBUTES=32
PHYSPATH=C:\Documents and Settings\David\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-703dbc67-6dcac985.zip
PHYSSIZE=121
[RESOURCE8]
SCHEMA=file
NAME=\\?\C:\Documents and Settings\David\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-3ec2b186-5a6fdab4.zip
NAMESIZE=125
ATTRIBUTES=32
PHYSPATH=C:\Documents and Settings\David\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-3ec2b186-5a6fdab4.zip
PHYSSIZE=121
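The manifest posted above is worth reading by machine rather than by eye: it names the detection, lists every quarantined file, and carries a timestamp. The script below is an added example, not part of the thread and not a tool from the product that wrote the manifest. It assumes the TIMESTAMP value is a Windows FILETIME (100-nanosecond ticks since 1601, which is what a value of that magnitude suggests; the hex above decodes to 23 June 2007 UTC, consistent with the thread's dates) and it uses the fact, checked against the posted entries, that NAMESIZE and PHYSSIZE equal the path length plus one terminating NUL, which gives a cheap check that nothing was truncated in the paste. The embedded manifest is an excerpt: two of the eight resources, one per user profile, with RESOURCES adjusted to match.

```python
import configparser
from datetime import datetime, timedelta, timezone

# Added example, not from the thread. Excerpt of the Manifest.ini posted above,
# cut to two of its eight [RESOURCEn] sections (one per user profile) with
# RESOURCES adjusted to match; the other values are copied from the post.
MANIFEST = r"""
[QUARANTINE]
ID={80010297-0000-0000-D80E-5DCC4D912F39}
VERSION=1.2701
RESOURCES=2
[TIMESTAMP]
VALUE=0x1C7B5DC86EBB3D8
[INFECTION_INFO]
NAME=Trojan:Java/Classloader.D
THREATID=2147549847
[RESOURCE1]
SCHEMA=file
NAME=\\?\C:\Documents and Settings\Paul\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Counters.zip-705ab05a-7a31f1e5.zip
NAMESIZE=129
ATTRIBUTES=32
PHYSPATH=C:\Documents and Settings\Paul\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Counters.zip-705ab05a-7a31f1e5.zip
PHYSSIZE=125
[RESOURCE2]
SCHEMA=file
NAME=\\?\C:\Documents and Settings\David\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-703dbc67-6dcac985.zip
NAMESIZE=125
ATTRIBUTES=32
PHYSPATH=C:\Documents and Settings\David\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-703dbc67-6dcac985.zip
PHYSSIZE=121
"""

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(value):
    """Decode a Windows FILETIME (100 ns ticks since 1601-01-01 UTC), given as an
    int or a hex string such as the manifest's '0x1C7B5DC86EBB3D8'. That the
    TIMESTAMP value is a FILETIME is an assumption made by this example."""
    ticks = int(value, 16) if isinstance(value, str) else int(value)
    return WINDOWS_EPOCH + timedelta(microseconds=ticks // 10)


def profile_of(path):
    """User profile that owns a path under C:\\Documents and Settings, else None."""
    parts = path.split("\\")
    if len(parts) > 2 and parts[1].lower() == "documents and settings":
        return parts[2]
    return None


def parse_manifest(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    resources = []
    for i in range(1, int(cp["QUARANTINE"]["RESOURCES"]) + 1):
        sec = cp[f"RESOURCE{i}"]
        path = sec["PHYSPATH"]
        resources.append({
            "path": path,
            "profile": profile_of(path),
            "in_java_cache": "\\sun\\java\\deployment\\cache\\" in path.lower(),
            # In the posted manifest NAMESIZE/PHYSSIZE equal the string length
            # plus one (a terminating NUL); a mismatch means a path was
            # truncated or altered when the file was copied.
            "lengths_ok": (len(sec["NAME"]) + 1 == int(sec["NAMESIZE"])
                           and len(path) + 1 == int(sec["PHYSSIZE"])),
        })
    return {
        "id": cp["QUARANTINE"]["ID"],
        "threat": cp["INFECTION_INFO"]["NAME"],
        "quarantined_at": filetime_to_datetime(cp["TIMESTAMP"]["VALUE"]),
        "resources": resources,
    }


def affected_profiles(info):
    """Sorted list of user profiles that had a quarantined file."""
    return sorted({r["profile"] for r in info["resources"] if r["profile"]})


if __name__ == "__main__":
    info = parse_manifest(MANIFEST)
    print(info["threat"], "quarantined", info["quarantined_at"].isoformat())
    print("profiles:", ", ".join(affected_profiles(info)))
    for r in info["resources"]:
        print(" ", "java-cache" if r["in_java_cache"] else "other", r["path"])
```

Two things fall out that the raw text hides: every quarantined object sits in the Sun Java deployment cache, and both user profiles on the machine had them, which fits the helper's earlier point about the stack of old JRE versions still installed.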

The most important order of business for you is to take those precautionary steps I mentioned in my last post. Not only changing all passwords, but also notifying your bank and credit card companies. That backdoor may not have stolen your financial data, but it could have. You cannot afford to take a chance.

Okay, back to your current situation.

Thanks for posting the contents of the .ini file Those folders appear to have been created by some malware removal program. They are harmless.

It looks like you removed all the versions of Java including the latest one. Your log now shows MSJava running. This is even older than the Sun java versions I had you remove earlier.

Please download the MSJavaVM removal tool from this web page. Use the link for the Softpedia Secure Download. Download the file to your desktop and double click to run it. Click Yes, then type in a folder to install the files (I suggest C:\Temp). Then navigate to that folder, find the file unmsjvm.exe, and double click the icon to run it. Click yes, then click the I accept radio button, and click Next. When the removal is done click Finish.

After removing that old java version please reinstall the latest version of Sun Java. Open your browser and go to this web page to get the latest version. Scroll down to the middle of the page where you will find Java Runtime Environment (JRE) 6u2. Click Download which will take you to the secure download page. At the top, select the Accept License Agreement button. Then look to the first block for the J2SE downloads for the Windows Platform. You can choose either the Online or Offline installation version; unless you have several computers you need to upgrade, I suggest the Online version.

Download the file to your desktop, close your browser, and double click the file icon to begin installation.

If you have trouble with the Online installation, you can download the big Offline file and install it with your browser closed.

Finally, please run an online scan. You will have to use Internet Explorer for this.

First go to the Kaspersky online scanner. Accept the terms, let it install an ActiveX program (since you have XP SP2 this is blocked by default, you must allow it), then accept the terms again, let it download the files (about 8 MB total). Click Next, and select "My Computer" as the scan area. Kaspersky takes a long time but it is very thorough. When it is finished, save the report as a text file (easier to work with than an HTML file) to your desktop.

Please post the Kaspersky log and a fresh HJT log in your next reply. Also, let me know how the machine is running.

Kaspersky Online Scanner

Welcome to the Kaspersky Online Scanner! Use it to scan your PC for viruses and other malware for free. Warning: if you have installed Kaspersky Online Scanner Pro, please manually uninstall it using "Add/Remove Programs" before installing this version! Otherwise this version will not function correctly.

When using this service for the first time, you have to run with Administrator privileges in order to install the product. Also, you will need to download and install files about 400 KB in size followed by 9 MB of virus definitions. However, if you use the Online Scanner again, you will only need to download the files that have been updated since your last scan. The Online Scanner service offered by Kaspersky Lab uses Microsoft ActiveX technology. Microsoft ActiveX Technology and the Kaspersky Online Scanner work only with MS Internet Explorer 6.0 or higher. We cannot guarantee that the Online Scanner will function correctly if you are using any other browser or any Internet Explorer extensions (such as AvantBrowser). If you use a different browser, you can use the Kaspersky File Scanner to scan individual files. The free Kaspersky Online Scanner does not scan boot sectors and MBRs, so it cannot detect malicious code located in these areas. Please note: The free Kaspersky Online Scanner does not protect against malicious code, and cannot prevent future infections. It only detects malware that has already penetrated your computer. We strongly recommend that you install a full antivirus solution to protect your system.

Privacy statement:

The Kaspersky Online Scanner will collect information about the malicious programs found on your computer during the scanning process. The information will be sent to the Kaspersky Virus Lab for statistical purposes. No personal information about you or specific information about your system will be collected or transmitted to Kaspersky Lab.

Select: All, None, Suspicious Selected objects: 0

Scan settings: Here you can configure the scanning process.

Scan using the following antivirus database: standard - detect viruses, worms, Trojans, rootkits extended - protect your computer from Spyware, adware, dialers and potentially dangerous software such as remote access utilities, prank programs and jokes. We do not recommend this option to beginners or inexperienced users.

Report is empty. Please note: The free Kaspersky Online Scanner does not provide comprehensive protection and cannot prevent future infections. It only detects malware that has already penetrated your storage devices. We strongly recommend that you use a fully-functional antivirus solution to protect your computer at all times.

Please wait, this process may take a long time depending on the selected target. If you want to continue browsing, open a new window.

Scan Progress [99%]:

Total number of scanned objects: 83504
Number of viruses found: 12
Number of infected objects: 61
Number of suspicious objects: 0
Duration of the scan process: 01:27:16


Product Info You have Kaspersky Online Scanner version 5.0.93.0 installed. The current anti-virus database was released on Wednesday, July 04, 2007 and contains 357765 records.

The cisvc.exe report makes a lot of sense, but there are two possibilities. There is a legitimate but optional Windows service by that name which sometimes causes the trouble you describe. However there is also malware that uses that filename as a way to disguise itself. I need more information to find out what the problem is in this case.

Looks like we did not get the information from Kaspersky. Was the scan stopped before it completed by any chance?

Let's try a different scan. Again this one requires Internet Explorer.

It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)

When download is complete, click on My Computer to start the scan

When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.

It sounds like your son has a separate account on this computer. If this is the case, I would like you to log onto his account and run a HijackThis scan. Post the log to your next reply, along with the Panda log. His log will be a little different from the one done while logged onto your account, and it may reveal something about why he is having a problem that you apparently are not.

Get ATF Cleaner here . It does not require installation, just download it to your desktop. Double-click the ATFCleaner icon on your desktop to launch the program. For this first run, check the select all box on the main page, then click Empty selected. Then, if you use Firefox or Opera, click on the appropriate tab and repeat the same drill.

Clear your Norton Quarantine folder. If you don't know how to do this, here's a link to a tutorial:

As Kaspersky says, this is adware, as many gambling programs are. It's your choice, but I suggest you uninstall it. Click Start, Run, then double click Add or Remove Programs. When the list is populated, scroll down to Pacific Poker and click to select it, then click Remove.

Next, use Explorer to navigate to and delete the following files:

C:\Program Files\test\egIEEngine.dll
C:\Program Files\test\GMT.exe

Next we need to take care of those orphaned R3 lines in your HijackThis log.

Copy the entire contents inside of the QUOTE box into Notepad, press <Enter> to add a blank line. On the taskbar, click File, then in the Save In box navigate to and highlight your Desktop. In the File Name box type or paste in remove.reg and in the Save as type box select All files. Click Save, then close Notepad.

Go to the Desktop and DoubleClick Remove.reg, hit yes at the prompt to add its contents to the Registry.

Finally, HijackThis has been updated to a new version. Please remove your old version, then go to this web page and read the instructions. Then download and install the new version, open it and run a scan. Post the log to a reply here. Let me know if you had any problems with any of the steps here.
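The cisvc.exe question raised a few posts back (a legitimate Indexing Service binary versus malware hiding behind the same name) comes down to where the image on disk actually lives, and the same goes for names that are one typo away from a system binary. The script below is an added example, not from the thread or from any of the tools mentioned in it: given a process listing of "pid,image path" lines it flags known system names running from the wrong directory and unknown names within two edits of a known one. The listing is constructed, and the expected locations assume the XP default %SystemRoot% of C:\WINDOWS.

```python
import ntpath

# Added example, not from the thread. Constructed process listing in the form
# "pid,image path"; the impostor cisvc.exe and the misspelt svchost are made up.
SAMPLE_PROCESSES = r"""
1128,C:\WINDOWS\system32\svchost.exe
1832,C:\WINDOWS\system32\cisvc.exe
2204,C:\Documents and Settings\David\Application Data\cisvc.exe
2260,C:\WINDOWS\system32\scvhost.exe
 512,C:\WINDOWS\explorer.exe
"""

# Where each of these Windows XP binaries legitimately lives. Assumes the
# default %SystemRoot% of C:\WINDOWS (older installs use C:\WINNT).
EXPECTED_DIR = {
    "cisvc.exe": r"C:\WINDOWS\system32",    # Indexing Service
    "svchost.exe": r"C:\WINDOWS\system32",
    "explorer.exe": r"C:\WINDOWS",
}


def parse_listing(text):
    """Turn 'pid,path' lines into (int pid, path) tuples, skipping blank lines."""
    procs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, path = line.split(",", 1)
        procs.append((int(pid), path.strip()))
    return procs


def edit_distance(a, b):
    """Levenshtein distance, used to spot names one typo away from a system binary."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_process(pid, path):
    """Return (pid, path, reason) if the process looks like it is masquerading
    as a system binary, else None. Comparisons are case-insensitive because
    NTFS paths are."""
    directory, name = ntpath.split(path)
    name_l, dir_l = name.lower(), directory.lower()
    expected = EXPECTED_DIR.get(name_l)
    if expected is not None:
        if dir_l != expected.lower():
            return (pid, path, f"{name} running from {directory}, expected {expected}")
        return None
    # Not a known name: is it a near miss for one (scvhost.exe, cisvcs.exe, ...)?
    for known in EXPECTED_DIR:
        if edit_distance(name_l, known) <= 2:
            return (pid, path, f"{name} is within two edits of {known}")
    return None


def masquerading(procs):
    """All processes in the listing that check_process objects to."""
    hits = []
    for pid, path in procs:
        verdict = check_process(pid, path)
        if verdict:
            hits.append(verdict)
    return hits


if __name__ == "__main__":
    for pid, path, reason in masquerading(parse_listing(SAMPLE_PROCESSES)):
        print(pid, reason)
```

On the sample it flags the cisvc.exe under a user's Application Data folder and the scvhost.exe, and passes the genuine Indexing Service binary. Note the helper's other point still stands: a cisvc.exe that passes this check can itself be the cause of hangs, because the legitimate Indexing Service is optional and heavy on older machines.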

Hi Dave, I have done as advised above, EXCEPT for clearing the Norton Quarantine folder. Norton is no longer installed on this machine and I don't know how to find that folder if it still exists.

Also the Pacific Poker file is something my son needs apparently so have had to leave that.

Below you will find the latest hjt log.

Finally, yesterday I received a windows stop error, something to do with a device driver [someone else was using it at the time and did not get any details] and 'windows has encountered a problem it cannot recover from and it needs to be restarted'.

It has been ok since.

Thank you.

paul

PS, this machine is 3 or 4 years old. Do you think updating drivers is long overdue? If so, where is the best place to go for this, and is there any test we can carry out to see what we have?

Note that you only need to perform steps one and two, since you have no interest in reinstalling the program.

After you run the tool, please confirm that the quarantine files are gone by navigating to C:\Program Files\ and checking to see if the folder Norton AntiVirus exists there. If it does, delete it. Let me know what you find and whether you manage to get rid of it.

Regarding drivers: I don't recommend an update unless there's a problem. However, the only stop error I have had on my computer was driver related. What's more, give Microsoft credit, the driver was clearly identified in the stop error message. Updating to the latest driver cured the problem.

So, my advice would be: first, notify everyone who uses the computer that they are not to reboot it or take any other action if they see a BSOD (Blue Screen of Death). Then, make sure the computer is not configured to reboot automatically when this happens. Here's how you do that:

1. Click Start, then Right-click My Computer, and then click Properties.
2. Click the Advanced tab, and then under Startup and Recovery, click Settings.
3. In the System Failure section, look at the check boxes and make sure Automatically Restart is unchecked. If the box contains a check mark, click it to remove.

Then wait until it happens again. When it does, write down the exact error message. It will probably tell you which driver caused the problem, and you can then search the internet for a later driver.

If you need help locating the latest driver for a particular piece of hardware, I suggest posting a new topic on the Bleeping Computer hardware forum. The experts there can help you quicker and probably better than I can with this type of question. However, I will be glad to assist you if you prefer.

I have a question about your HJT log. There's a line that was not there before:

Is this a setting that was done deliberately, by you or another user? about:blank is a notorious symptom of the old CoolWeb infection, which however is about extinct now and easily dealt with by current antispyware programs.

Finally, run a fresh HJT scan and post the log to a reply here. Tell me how the computer is running, what you know about that about:blank, and if you had any trouble with removing Norton or any other steps.

The Norton Removal tool does not seem to work on my machine. It says it may take a few minutes, and don't touch anything, but I ran it for 1 hour, then 1 1/2 hours, then finally 2 1/2 hours and on each occasion it got to about 60% done in 10 seconds and there it stayed. I can't believe it would take that long to uninstall some bits and pieces, but if you think I should run it overnight I will.

The 'about:blank' thing we know nothing about, and we certainly have not put it there ourselves.